Re: [Ideas] WG Review: IDentity Enabled Networks (ideas)

Stephen Farrell <> Fri, 06 October 2017 09:32 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 4B36A13487E; Fri, 6 Oct 2017 02:32:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.3
X-Spam-Status: No, score=-4.3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id DUbpwdR7dDQq; Fri, 6 Oct 2017 02:32:22 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id D91BF13487D; Fri, 6 Oct 2017 02:32:21 -0700 (PDT)
Received: from localhost (localhost []) by (Postfix) with ESMTP id 21922BE24; Fri, 6 Oct 2017 10:32:20 +0100 (IST)
X-Virus-Scanned: Debian amavisd-new at
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id TxCL7iKHtaAy; Fri, 6 Oct 2017 10:32:18 +0100 (IST)
Received: from [] ( []) by (Postfix) with ESMTPSA id 49E30BE38; Fri, 6 Oct 2017 10:32:17 +0100 (IST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;; s=mail; t=1507282337; bh=8neyMjmPuN9uOo+qlboyaUax4QCoJhr2aLzFQt0AIlY=; h=Subject:To:Cc:References:From:Date:In-Reply-To:From; b=UtdODxj52eSAN6WdofbX9W4jx0fPfMqKCI4ncBbWHkWwWVAe/dyNhWKQFe6mlAwh7 oiyzGfQcUnZo6m/pfSWnNjzPf9ExLnHKxOOj6cvJe6+B8buh+uQH0vdPK6ecP2QjQq XCUmnoKik8B4aTRFbR/DeXoWSmX5dn5dMisE+hno=
To: Georgios Karagiannis <>, Uma Chunduri <>, "Joel M. Halpern" <>, Benjamin Kaduk <>, Jari Arkko <>
Cc: "" <>, "" <>
References: <> <> <> <> <> <> <> <> <> <> <> <C5034E44CD620A44971BAAEB372655DC2DD336ED@lhreml502-mbs>
From: Stephen Farrell <>
Openpgp: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Message-ID: <>
Date: Fri, 6 Oct 2017 10:32:16 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.3.0
MIME-Version: 1.0
In-Reply-To: <C5034E44CD620A44971BAAEB372655DC2DD336ED@lhreml502-mbs>
Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="NoMbXAHSBFaRiUjdEtlIVKM7G4LXg8oIi"
Archived-At: <>
Subject: Re: [Ideas] WG Review: IDentity Enabled Networks (ideas)
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Discussions relating to the development, clarification, and implementation of control-plane infrastructures and functionalities in ID enabled networks." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 06 Oct 2017 09:32:29 -0000


On 06/10/17 08:49, Georgios Karagiannis wrote:
> Hi all,
> Please note that I have looked into the output of the (concluded)
> IETF ABFAB WG. In order to answer many questions/concerns that have
> been raised during the previous IDEAS discussions, it might be useful
> to consider the results of the IETF ABFAB WG. 
> We could incorporate their concepts about identity and how identity
> can be established and leveraged in a distributed way able to satisfy
> trust and privacy concerns.

I have no clue how GSS-API is even relevant here. abfab
was a fine thing for JISC and friends to do to as a way
to try broaden the benefit they got from their existing
federated authentication setup, in their case involving
UK universities. It is not at all clear that that would
be even relevant if one wanted to build the kind of all
encompassing IdPs envisaged in the ideas charter/draft.
The relationships that university account holders have
with their own and other academic institutions and with
applications running in such environments (that being
the point of abfab) don't seem to me to generalise to
lower layers in any useful manner.

In any case, if this proposal is only now at the point
where you're starting to ponder the basic architecture
then I'd conclude it's nowhere near ready to charter.
(As well as being a bad idea from the privacy POV;-)

WGs for such decisions can be a good plan when there's
a few known architectural choices on the table, and if
different sets of folks need a venue to reach consensus
on which road to take - suggesting abfab at this point
sounds like floundering around looking for reasons to
exist tbh. (Sorry to be blunt and it may not be that,
but it appears to be that to me.)


> Best regards, Georgios
> -----Original Message----- From: Ideas
> [] On Behalf Of Uma Chunduri Sent:
> Thursday, October 05, 2017 7:05 PM To: Joel M. Halpern; Benjamin
> Kaduk; Jari Arkko Cc:; Subject: Re:
> [Ideas] WG Review: IDentity Enabled Networks (ideas)
> Hi Joel,
> In-line [Uma]:
> Best Regards, -- Uma C.
> -----Original Message----- From: Joel M. Halpern
> [] Sent: Wednesday, October 04, 2017 9:41
> PM To: Uma Chunduri <>om>; Benjamin Kaduk
> <>du>; Jari Arkko <> Cc:
>; Subject: Re: [Ideas] WG Review:
> IDentity Enabled Networks (ideas)
> You seem to be making some unstated assumptions.
> If by "Provider" in "Provider based AUTH" you mean the last hop
> communications service provider, then I would fundamentally disagree
> with you. [Uma]: I meant IdP and it's an orthogonal discussion if
> both roles played by same entity..
> The communication service provider has no role in creating or
> authenticating identifiers.  Their job is to provide locators. [Uma]:
> Absolutely.
> Now, those service providers may have an authentication relationship,
> based on some identifiers, in order to provide communications
> services. But the identifiers for that are completely uncoupled from
> and unrealted to the identifiers need for an ID / Locator system.
> Yes, if there is a provider of identifiers (not all systems even
> require that),
> [Uma]:  Yes, may be not all systems require that, especially if this
> is a local deployment.
> then the user of the identifier needs to have an appropriate
> relationship with the provider of the identifier. And that needs to
> be related to the authentication needed to update the mapping
> system. [Uma]: Yes.
> But neither of those require anything other than the identifier and
> suitable keying. [Uma]: If it's a local system simple keying is
> enough (in the expense of key management etc) as all devices may be
> managed by the same org.
> _______________________________________________ Ideas mailing list